Self-signed cert for registry failing on stager
Tom Sherrod <tom.sherrod@...>
Successfully deployed from a registry with a public cert.
A registry with a private/self-signed cert fails at the stager. I've got the name of the registry in insecure_docker_registry_list and insecure_docker_registry: true in the manifest.

On the cell, the garden-linux process is running with -insecureDockerRegistryList=theregistryname.

On the stager, the stager process is running with -insecureDockerRegistry -logLevel=info. Shouldn't theregistryname also be in stager arguments?

The error:

2015-08-27T18:43:00.50-0400 [STG/0] ERR builder exited with error: failed to fetch metadata from [theregistryname/tom/diegotest] with tag [latest] and insecure registries [] due to Invalid registry endpoint https://theregistryname/v1/: Get https://theregistryname/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry theregistryname` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/theregistryname/ca.crt

(I changed the hostname to "theregistryname" in this message; the real hostname can be resolved and reached on each machine.)
James Bayer
perhaps see if the lattice instructions for private registries have any hints for you: http://lattice.cf/docs/private-docker-registry/

On Thu, Aug 27, 2015 at 4:50 PM, Tom Sherrod <tom.sherrod(a)gmail.com> wrote:

> Successfully deployed from a registry with a public cert.

--
Thank you, James Bayer
Will Pragnell <wpragnell@...>
> On the stager, the stager process is running with -insecureDockerRegistry -logLevel=info. Shouldn't theregistryname also be in stager arguments?

No, that flag is simply a boolean switch [1].

> The error:
>
> 2015-08-27T18:43:00.50-0400 [STG/0] ERR builder exited with error: failed to fetch metadata from [theregistryname/tom/diegotest] with tag [latest] and insecure registries [] due to Invalid registry endpoint https://theregistryname/v1/: Get https://theregistryname/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry theregistryname` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/theregistryname/ca.crt

This message comes from `docker_app_lifecycle` [2]. It looks like that's called by the stager, but for some reason the stager isn't passing the right args through to it in your case. I'm afraid I don't know the Diego code well enough to speculate as to why, but if you want to continue tracing it through, you might want to start at [3], which is where the stager works out what args it will pass to `docker_app_lifecycle`.

Hope that helps!

[1]: https://github.com/cloudfoundry-incubator/stager/blob/master/cmd/stager/main.go#L82
[2]: https://github.com/cloudfoundry-incubator/docker_app_lifecycle
[3]: https://github.com/cloudfoundry-incubator/stager/blob/master/backend/docker_backend.go#L321

On 28 August 2015 at 03:46, James Bayer <jbayer(a)pivotal.io> wrote:

> perhaps see if the lattice instructions for private registries have any
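The "x509: certificate signed by unknown authority" failure in the log above is the TLS client rejecting the registry's chain because no root in its trust store signed it, which is exactly what installing the CA (or the insecure flag) addresses. The following is an added example, not code from Diego, the stager or the thread's participants: it builds a throw-away private CA and registry leaf in memory (constructed fixtures; the host name "theregistryname" is taken from the thread) and shows that verification succeeds once the CA is in the root pool and fails with the unknown-authority error when it is not, distinguishing that from a hostname mismatch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedPair builds an in-memory private CA plus a registry leaf it signed. This is a
// constructed fixture for the example, not the thread's registry; errors are ignored because
// the templates are fixed and known-good.
func SelfSignedPair(host string) (ca, leaf *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example private CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// VerifyRegistryCert checks the leaf as a TLS client would, trusting only roots;
// an empty pool models a host with no CA installed for this registry.
func VerifyRegistryCert(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IsUnknownAuthority is true only for the "x509: certificate signed by unknown authority"
// failure seen in the stager log, i.e. a missing CA rather than a hostname or expiry problem.
func IsUnknownAuthority(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

func main() {
	ca, leaf := SelfSignedPair("theregistryname")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("CA installed:", VerifyRegistryCert(leaf, "theregistryname", trusted))
	fmt.Println("CA missing:", IsUnknownAuthority(VerifyRegistryCert(leaf, "theregistryname", x509.NewCertPool())))
}
```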
Tom Sherrod <tom.sherrod@...>
Thank you. The pointer to the code is excellent. I was looking in the right place. An odd part was I actually added the CA to the machine itself and it still did not work.
I finally opted for a mirror registry with a public cert. Now working.